Critical Microsoft SharePoint Exploit Allows Remote Code Execution—Here’s How It Works and How to Fix It

By EL Ouchen, International Cybersecurity Correspondent
July 20, 2025

A critical security flaw in Microsoft SharePoint, designated CVE-2023-29357, is actively being exploited in combination with other vulnerabilities to gain remote code execution (RCE) capabilities on enterprise systems. Security experts warn that organizations using unpatched versions of SharePoint Server 2019 or the Subscription Edition are at serious risk of data breach, privilege escalation, or full network compromise.


🧠 Deeper Technical Analysis: CVE-2023-29357

CVE-2023-29357 is a privilege escalation vulnerability that, on its own, allows an unauthenticated attacker to impersonate an admin user. When chained with CVE-2023-24955 (a deserialization flaw), it results in remote code execution.

How the Attack Works – Step by Step

  1. Token Forgery (CVE-2023-29357):
    SharePoint uses JSON Web Tokens (JWT) signed by trusted OAuth certificates to manage claims and user identity. This flaw allows an attacker to create a forged JWT token and trick the server into believing the request comes from a legitimate admin user.
  2. Bypassing Authentication:
    The forged token bypasses SharePoint’s claims-based authentication. The attacker impersonates a high-privilege user and obtains access to restricted areas of the SharePoint portal.
  3. Chaining to Remote Code Execution (CVE-2023-24955):
    With admin privileges gained, the attacker can:
    • Upload a malicious .aspx file to a SharePoint document library
    • Trigger server-side .NET deserialization, executing arbitrary payloads
    • Leverage DLL injection or use SharePoint Management Shell to execute PowerShell

Key Exploit Characteristics:

  • No prior authentication required
  • Works over standard HTTP/HTTPS ports
  • Can be weaponized in wormable or automated fashion
  • Exploitable in both on-prem and hybrid SharePoint deployments

🛡️ Detection and Indicators of Compromise (IoCs)

Check logs for:

  • Abnormal use of /_api/web endpoints with unknown tokens
  • Unusual POST requests with forged JWT headers
  • Unusual file uploads with .aspx, .ps1, or DLL extensions
  • Unauthorized user accounts or sudden privilege changes

Command Injection Example:


🔧 Mitigation & Fix Strategy

1. Apply Official Microsoft Patches Immediately

Microsoft released a fix in June 2023 Patch Tuesday. The relevant KB articles are:

Ensure that patches are applied to both front-end and back-end application servers.


2. Harden Token Validation

  • Configure SharePoint to only accept tokens from trusted issuers
  • Disable weak signing algorithms (e.g., none, HS256 if applicable)
  • Use auditing tools to validate JWT signature checks are enforced properly
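
The token checks listed above, together with the "unknown tokens" and "forged JWT headers" items in the detection section, as an added example in Python (not code from the article, from Microsoft, or from SharePoint itself): a pre-validation audit that rejects tokens the farm should never accept and returns the reasons so they can be logged. The issuer list, the function names and the sample tokens are assumptions made for this example; a clean result still has to be followed by real signature verification against the trusted OAuth certificate.

```python
import base64
import json
import time
from typing import List, Optional

# Constructed placeholders: a real check loads the trusted issuer list from
# the farm's configured token-issuer settings.
TRUSTED_ISSUERS = {"https://sts.example.internal/"}
ALLOWED_ALGS = {"RS256"}  # asymmetric only; 'none' and HS256 are rejected

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def audit_jwt(token: str, now: Optional[float] = None) -> List[str]:
    """Return every policy violation found in a bearer token.

    Runs before, not instead of, signature verification: it stops tokens that
    must never reach that step (alg=none, a symmetric alg, an empty signature,
    an untrusted issuer, an expired exp). An empty list means the token may
    proceed; a non-empty one is what a detection rule logs as a forged JWT.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all land here
        return ["malformed: header or payload is not base64url JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["malformed: header or payload is not a JSON object"]
    problems: List[str] = []
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        problems.append(f"disallowed alg: {alg!r}")
    if not parts[2]:
        problems.append("empty signature segment")
    if claims.get("iss") not in TRUSTED_ISSUERS:
        problems.append(f"untrusted issuer: {claims.get('iss')!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        problems.append("missing or expired exp claim")
    return problems

def make_test_token(header: dict, claims: dict, signature: str = "") -> str:
    """Assemble a token from constructed parts (test input only, no real key)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.{signature}"
```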

3. Review & Restrict Upload Policies

  • Disable direct upload of .aspx, .exe, .ps1, and .dll file types
  • Use virus/malware scanning on document libraries
  • Apply least-privilege permissions for all file upload endpoints

4. Monitor for Exploit Behavior

  • Set up alerts for unusual admin activity or access to /_layouts/15/settings.aspx
  • Monitor command execution using Sysmon, Defender for Identity, or EDR tools
  • Enable PowerShell script block logging

5. Harden Infrastructure

  • Place SharePoint behind Web Application Firewalls (WAFs) with JWT anomaly rules
  • Isolate SharePoint servers in separate network zones
  • Restrict internet access unless absolutely necessary

🌍 Why This Matters Globally

Microsoft SharePoint is a foundational collaboration and document management platform for:

  • Governments
  • Fortune 500 companies
  • Educational institutions
  • Healthcare providers

A compromised SharePoint server becomes a stepping stone into wider enterprise networks, potentially exposing:

  • Legal contracts
  • Patient records
  • M&A strategy documents
  • Active Directory integrations

“This flaw is not just a security risk—it’s a trust issue in enterprise architecture,” said Angela Wei, Director of Threat Research at Palo Alto Networks. “Organizations must treat collaboration software as Tier 1 critical infrastructure.”


🧭 Summary: What You Must Do Now

Action                                    Priority
Apply Microsoft patches (June 2023)       ✅ Immediate
Audit admin logins and token activity     ✅ Immediate
Monitor file uploads and access logs      ✅ High
Block .aspx and script-based uploads      ✅ High
Harden token validation configuration     ✅ Medium
